1RASPLIT(1) General Commands Manual RASPLIT(1)
2
6 rasplit - split argus(8) data.
7
9 rasplit [[-M splitmode] [splitmode options]] [raoptions] [-- filter-
10 expression]
11
13 Rasplit reads argus data from an argus-data source, and splits the
14 resulting output into consecutive sections of records based on size,
15 count time, or flow event, writing the output into a set of output-
16 files. By default, rasplit puts 10,000 records of input into each
17 argus output file, or standard out.
18 The output files' name consists of a prefix, which is specified using
20 the -w ra option, and a suffix, which is created for each resulting
21 file. If no prefix is provided, then rasplit will use 'x' as the
22 default prefix. The suffix that is used is determined by the mode of
23 operation. When rasplit is using the default count mode or the size
24 mode, the suffix is a group of letters 'aa', ´ab´, and so on, such that
25 concatenating the output files in sorted order by file name produces
26 the original input file. If rasplit will need to create more output
27 files than are allowed by the default suffix strategy, more letters
28 will be added, in order to accomodate the needed files. When the mode
29 is time mode, the default output filename suffix is
30 '%Y.%m.%d.%h.%m.%s', which is used by strftime() to create an output
31 filename that is time oriented. This default is overrided by adding a
32 '%' extension to the name provided on the commandline using the -w
33 option.
34 When standard out is specified, using -w -, rasplit will output a sin‐
36 gle argus-stream with START and STOP argus management records inserted
37 appropriately to indicate where the output is split. See argus(8) for
38 more information on output stream formats.
39 When rasplit is spliting on output record count (the default), the num‐
41 ber of records is specified as an ordinal counter, the default is
42 10,000 records. When rasplit is spliting based on the maximum output
43 file size, the size is specified as bytes. The scale of the bytes can
44 be specified by appending 'b', 'k' and 'm' to the number provided.
45 When rasplit is spliting based on time, the time period is specified
47 with the option, and can be any period based in seconds (s), minutes
48 (m), hours (h), days (d), weeks (w), months (M) or years (y). Rasplit
49 will create and modify records as required to split on prescribed time
50 boundaries. If any record spans a time boundary, the record is split
51 and the metrics are adjusted using a uniform distribution model to dis‐
52 tribute the statistics between the two records. Care is taken to avoid
53 records with zero packet and byte counts, that could result from round‐
54 off error.
55 When rasplit is spliting based on flow event, the flow that acts as the
57 event marker is specified using a standard ra filter expression, that
58 is bounded by quotes ("). Records that preceed the first flow event in
59 the data stream are written to the specified output file, and then new
60 files are generated with the flow event record being the first record
61 of the new file. This method will allow you to use wire events as
62 triggers for spliting data.
63
66 Rasplit, like all ra based clients, supports a number of ra options
67 including remote data access, reading from multiple files and filtering
68 of input argus records through a terminating filter expression. ras‐
69 plit(1) specific options are:
70 -a suffix length
72 default is 2 characters.
73 -d Toggle running as a deamon.
75 -M splitmode
77 Supported spliting modes are:
78 count <num>
79 size <size>
80 time <period>
81 flow "filter-expression"
82 -w filename
84 Rasplit supports an extended -w option that allows for output
85 record contents to be inserted into the output filename. Speci‐
86 fied using '$' (dollar) notation, any printable field can be used.
87 Care should be taken to honor any shell escape requirements when
88 specifying on the command line. See ra(1) for the list of print‐
89 able fields.
90 Another extended feature, when using time mode, rasplit will
92 process the supplied filename using strftime(3), so that time
93 fields can be inserted into the resulting output filename.
94
97 This invocation reads argus(8) data from inputfile and splits the
98 argus(8) data stream based on output file size of no greater than 1
99 Megabyte. The resulting output files have a prefix of argus. and suf‐
100 fix that starts with 'aa'. The single trailing '.' is significant.
101 rasplit -r inputfile -M size 1m -w argus.
103 This invocation splits inputfile based on hard 10 minute time bound‐
106 aries. The resulting output files are created with a prefix of /ar‐
107 chive/%Y/%m/%d/argus. and the suffix is %H.%M.%S. The values will be
108 supplied based on the time in the record being written out.
109 rasplit -r * -M time 10m -w "/archive/%Y/%m/%d/argus.%H.%M.%S"
111 This invocation splits inputfile based on the argus source identifier.
114 The resulting output files are created with a prefix of /archive/Source
115 Identifier/argus. and the default suffix starting with "aa". The
116 source identifier will be supplied based on the contents of the record
117 being exported.
118 rasplit -r * -M time 10m -w "/archive/$srcid/argus."
120 This invocation splits inputfile based on a flow event marker. The
122 resulting output files are created with a prefix of 'outfile.' and the
123 default suffix starting with "aa". Whenever a ping to a specific host
124 is seen in the stream, a new output file is generated.
125 rasplit -r * -M flow "echo and host 1.2.3.4" -w outfile.
127
130 Copyright (c) 2000-2016 QoSient. All rights reserved.
131
134 ra(1), rarc(5), argus(8),
135
138 Carter Bullard (carter@qosient.com).
139rasplit 3.0.8 12 August 2003 RASPLIT(1)